I. THE GENERAL CONCEPTS OF MODAL LOGIC

In the hierarchic development of logic as a formalization tool, we can observe different levels of variability. Propositional Calculus was developed to express constant or absolute truth stating basic facts about the universe of discourse. This framework mainly deals with the question of how the truth of a composite sentence depends on the truth of its constituents. In Predicate Calculus we deal with variable or relative truth by distinguishing the statement (the predicate) from its arguments.

It is understood that the statement may be true or false according to the individuals it is applied to. Thus we may regard predicates as parameterized propositions. The Modal Calculus adds another dimension of variability to the description by predicates. If we contemplate a major transition in which not only individuals are changed, but possibly the complete structure of basic premises and meaning of predicates, then the Modal Calculus suggests a special notation to denote this major change. Thus any chain of reasoning which is valid on Earth may become invalid on Mars because some of the basic concepts naturally used on Earth may assume completely different meanings (or become meaningless) on Mars. Conceptually, this calls for a partition of the universe of discourse into worlds of similar structure. Variability within a world is handled by changing the arguments of predicates, while changes between worlds are expressed by the special modal formalism.

Consider for example the statement: "It rains today." Obviously, the truth of such a statement depends on at least two parameters: the date and the location at which it is stated. Given a specific date $t_0$ and location $\ell_0$, the specific statement "It rains at $\ell_0$ on $t_0$" has propositional character, i.e., it is fully specified and must be either true or false. We may also consider the fully variable predicate $rain(\ell, t)$: "It rains at $\ell$ on $t$", which gives equal priority to both parameters. The modal approach distinguishes two levels of variability. In this example, we may choose time to be the major varying factor, and the universe to consist of worlds which are days. Within each day we consider the predicate $rain(\ell)$ which, given the date, depends only on the location. Alternately, one can choose the location to be the major parameter and regard the raining history of each location as a distinct world.

As is seen from this example, the transition from Predicate Logic to Modal Logic is not as pronounced as the transition from Propositional Logic to Predicate Logic. For one thing it is not absolutely essential: we could manage quite reasonably with our two-parameter predicates. Secondly, the decision as to which parameter is chosen to be the major one may seem arbitrary; it is strongly influenced by our intuitive view of the situation.

In spite of these qualifications there are some obvious advantages in the introduction and use of modal formalisms. It allows an explicit discrimination of one parameter as being appreciably more significant than all the others, and makes the dependence on that parameter implicit. Nowadays, when increasing attention is paid to the clear correspondence between syntax and natural reasoning (as is repeatedly stressed by the discipline of Structured Programming), it seems only appropriate to introduce extra structure into the description of varying situations. Thus a clear distinction is made between variation within a state, which we express using predicates and quantifiers, and variation from one state to another, which we express using the modal operators.

The general modal framework considers therefore a universe which consists of many similar states (or worlds) and a basic accessibility relation between the states, $R(s, s')$, which specifies the possibility of getting from one state $s$ into another state $s'$.

Consider again the example of the universe of rainy days. There, each state is a day. A possible accessibility relation might hold between two days $s$ and $s'$ if $s'$ is in the future of $s$.

The main notational idea is to avoid any explicit mention of either the state parameter (date in our example) or of the accessibility relation. Instead we introduce two special operators which describe properties of states which are accessible from a given state in a universe.

The two modal operators introduced are $\Box$ (called the necessity operator) and $\Diamond$ (called the possibility operator). Their meaning is given by the following rules of interpretation, informally expressed, in which we denote by $|w|_s$ the truth value of the formula $w$ in a state $s$:

$|\Box w|_s \equiv \forall s'\,[R(s, s') \supset |w|_{s'}]$

$|\Diamond w|_s \equiv \exists s'\,[R(s, s') \wedge |w|_{s'}]$ .

Thus, $\Box w$ is true at a state $s$ if the formula $w$ is true at all states $R$-accessible from $s$. Similarly, $\Diamond w$ is true at a state $s$ if $w$ is true in at least one state $R$-accessible from $s$.

A modal formula is a formula constructed from proposition symbols, predicate symbols, function symbols, individual constants and individual variables, the classic logic operators (including equality) and quantifiers, and the modal operators. The truth value of a modal formula at a state in a universe is found by a repeated use of the rules above for the modal operators and evaluation of any classic (non-modal) subformula on the state itself. It is of course assumed that every state contains a full interpretation for all the predicates in the formula.

For example, the formula $rain(\ell) \supset \Diamond{\sim}rain(\ell)$ is interpreted in our model of rainy days as stating: for a given day and a given location $\ell$, if it rains on that day at $\ell$ then there exists another day in the future on which it will not rain at $\ell$; thus any rain will eventually stop. Similarly, $rain(\ell) \supset \Box rain(\ell)$ claims that if it rains on that day it will rain ever after. Note that any modal formula is always considered with respect to some fixed reference state, which may be chosen arbitrarily. In our example it has the meaning of 'today'.

Consider the general formula $\Diamond{\sim}w \equiv {\sim}\Box w$. As we can see from the definitions this claims that there exists an accessible state satisfying ${\sim}w$ if and only if it is not the case that all accessible states satisfy $w$. This formula is true in any state for any universe with an arbitrary $R$.

Given a more precise definition, a universe consists of a set of states (or worlds), on which a relation $R$, called the accessibility relation, is defined. Each state provides a domain and a first-order interpretation over the domain to all the proposition symbols, predicate symbols, function symbols, individual constants, and individual variables in the vocabulary under consideration. A formula which is true in all states of every universe is called valid. Thus the above formula $\Diamond{\sim}w \equiv {\sim}\Box w$ is a valid formula.

Following is a list of some valid formulas:

A1*. $\Diamond{\sim}w \equiv {\sim}\Box w$ .

This establishes the connection between "necessity" and "possibility".

A2*. $\Box(w_1 \supset w_2) \supset (\Box w_1 \supset \Box w_2)$ ,

i.e., if in all accessible states $w_1 \supset w_2$ holds and also $w_1$ is true in all accessible states, then $w_2$ must also be true in all of these states.

The formulas A1* and A2* are valid for any accessibility relation. If we agree to place further general restrictions on the relation $R$, we obtain additional valid formulas which are true for any model with a restricted relation. According to the different restrictions we may impose on $R$ we obtain different modal systems. In our discussion we stipulate that $R$ is always reflexive and transitive.

A3*. $\Box w \supset w$ (equivalently $w \supset \Diamond w$) .

This formula is valid for any reflexive model. It claims for a state $s$ that if all states accessible from $s$ satisfy $w$, then $w$ is satisfied by $s$ itself. This is obvious since $s$ is accessible from itself (by reflexivity).

A4*. $\Box w \supset \Box\Box w$ (equivalently $\Diamond\Diamond w \supset \Diamond w$) .

This formula is valid for transitive models. The equivalent form claims that if there exists an $s_2$ accessible from $s_1$, which is accessible from $s$, such that $s_2$ satisfies $w$, then there exists an $s_3$ accessible from $s$ which satisfies $w$. By transitivity $s_2$ is also accessible from $s$ and we may take $s_3 = s_2$.
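The interpretation rules for $\Box$ and $\Diamond$, and the way A3* and A4* depend on $R$ being reflexive or transitive, can be checked mechanically on small finite universes. The following Python program is an added example and is not part of the paper: it evaluates propositional modal formulas over a finite set of states with an explicit successor relation, and tests a schema on a frame by trying every valuation of its single proposition symbol $w$. The four three-state frames are constructed for the example.

```python
# Added example (not from the paper): evaluating propositional modal formulas
# over a finite universe and testing which schemas are valid on which frames.
from itertools import product

# Formulas are nested tuples:
#   ('p', name)  ('not', w)  ('and', w1, w2)  ('or', w1, w2)
#   ('imp', w1, w2)  ('iff', w1, w2)  ('box', w)  ('dia', w)
def holds(w, s, R, val):
    """|w|_s: truth value of w at state s.  R maps a state to the list of
    states accessible from it; val maps a state to its proposition values."""
    op = w[0]
    if op == 'p':
        return val[s][w[1]]
    if op == 'not':
        return not holds(w[1], s, R, val)
    if op == 'and':
        return holds(w[1], s, R, val) and holds(w[2], s, R, val)
    if op == 'or':
        return holds(w[1], s, R, val) or holds(w[2], s, R, val)
    if op == 'imp':
        return (not holds(w[1], s, R, val)) or holds(w[2], s, R, val)
    if op == 'iff':
        return holds(w[1], s, R, val) == holds(w[2], s, R, val)
    if op == 'box':   # |□w|_s = ∀s'[R(s,s') ⊃ |w|_s']
        return all(holds(w[1], t, R, val) for t in R[s])
    if op == 'dia':   # |◇w|_s = ∃s'[R(s,s') ∧ |w|_s']
        return any(holds(w[1], t, R, val) for t in R[s])
    raise ValueError(f"unknown operator {op!r}")

def is_reflexive(R):
    return all(s in R[s] for s in R)

def is_transitive(R):
    return all(u in R[s] for s in R for t in R[s] for u in R[t])

def valid_on_frame(schema, R, atoms=('w',)):
    """True iff `schema` holds at every state of frame R under every
    valuation of `atoms`, i.e. it is valid for this accessibility relation."""
    states = list(R)
    for bits in product([False, True], repeat=len(states) * len(atoms)):
        val = {s: {a: bits[i * len(atoms) + j] for j, a in enumerate(atoms)}
               for i, s in enumerate(states)}
        if not all(holds(schema, s, R, val) for s in states):
            return False
    return True

# Constructed frames on three states (successor lists; self loops explicit).
FRAME_ARBITRARY  = {'s0': ['s1'],             's1': ['s2'],       's2': []}
FRAME_REFLEXIVE  = {'s0': ['s0', 's1'],       's1': ['s1', 's2'], 's2': ['s2']}
FRAME_TRANSITIVE = {'s0': ['s1', 's2'],       's1': ['s2'],       's2': []}
FRAME_S4         = {'s0': ['s0', 's1', 's2'], 's1': ['s1', 's2'], 's2': ['s2']}

W = ('p', 'w')
A1_STAR = ('iff', ('dia', ('not', W)), ('not', ('box', W)))   # ◇~w ≡ ~□w
A3_STAR = ('imp', ('box', W), W)                              # □w ⊃ w
A4_STAR = ('imp', ('box', W), ('box', ('box', W)))            # □w ⊃ □□w

if __name__ == '__main__':
    for name, R in [('arbitrary', FRAME_ARBITRARY), ('reflexive', FRAME_REFLEXIVE),
                    ('transitive', FRAME_TRANSITIVE), ('S4', FRAME_S4)]:
        print(f"{name:10s} refl={is_reflexive(R)!s:5} trans={is_transitive(R)!s:5} "
              f"A1*={valid_on_frame(A1_STAR, R)} A3*={valid_on_frame(A3_STAR, R)} "
              f"A4*={valid_on_frame(A4_STAR, R)}")
```

A1* comes out valid on every frame, A3* fails exactly on the frames with a state that is not its own successor (a state with no successors satisfies $\Box w$ vacuously), and A4* fails on the non-transitive frames: on FRAME_REFLEXIVE the valuation with $w$ true at $s_0, s_1$ and false at $s_2$ makes $\Box w$ true but $\Box\Box w$ false at $s_0$.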

Having a list of valid formulas, it is natural to look for an axiomatic system in which we take some of these formulas as basic axioms and provide a set of sound inference rules by which we hope to be able to prove other valid formulas as theorems. In order to denote the fact that a formula $w$ is a theorem derivable in our logical system we will write $\vdash w$. This will be the case if $w$ is an axiom or derivable from the axioms by a proof using the inference rules of the system.

Axioms:

A1. $\vdash \Diamond{\sim}w \equiv {\sim}\Box w$

A2. $\vdash \Box(w_1 \supset w_2) \supset (\Box w_1 \supset \Box w_2)$

A3. $\vdash \Box w \supset w$

A4. $\vdash \Box w \supset \Box\Box w$

The inference rules are:

R1. If $w$ is an instance of a propositional tautology, then $\vdash w$ (Tautology Rule)

R2. If $\vdash w_1 \supset w_2$ and $\vdash w_1$ then $\vdash w_2$ (Modus Ponens)

R3. If $\vdash w$ then $\vdash \Box w$ (Modal Generalization)

All these rules are sound. The soundness of R1 and R2 is obvious. Note that in R1 we also include modal instances of tautologies, e.g., $\Box w \supset \Box w$. To justify R3 we recall that validity of $w$ means that $w$ is true in all states of every universe, hence $\Box w$ is also valid.

This system provides a logical basis for propositional modal reasoning. In the Modal Logic circles this system is known as S4 (see, e.g., [H&C]).

Some theorems which can be derived in that system are:

T1. $\vdash w \supset \Diamond w$

T2. $\vdash \Box(w_1 \wedge w_2) \equiv \Box w_1 \wedge \Box w_2$

T3. $\vdash \Box(w_1 \supset w_2) \supset (\Diamond w_1 \supset \Diamond w_2)$

T4. $\vdash \Diamond(w_1 \vee w_2) \equiv \Diamond w_1 \vee \Diamond w_2$ .

Note that because of the universal character of $\Box$ it commutes with $\wedge$, while $\Diamond$ which is existential commutes with $\vee$.

T5. $\vdash \Diamond(w_1 \wedge w_2) \supset \Diamond w_1 \wedge \Diamond w_2$

T6. $\vdash (\Box w_1 \vee \Box w_2) \supset \Box(w_1 \vee w_2)$

T7. $\vdash \Box w_1 \wedge \Diamond w_2 \supset \Diamond(w_1 \wedge w_2)$

T8. $\vdash \Box w \equiv \Box\Box w$

T9. $\vdash \Diamond w \equiv \Diamond\Diamond w$ .

Because of these last two theorems we can collapse any string of consecutive identical modalities such as $\Box \cdots \Box$ or $\Diamond \cdots \Diamond$ into a single modality of the same type.

Since we intend to use predicates in our reasoning we have to extend our system to include some axioms and rules involving quantifiers and their interaction with modalities:

P1. $\vdash (\forall x\, w(x)) \supset w(t)$

where $t$ is any term "free for $x$" in $w$.

P2. $\vdash (\forall x\, \Box w) \supset (\Box\, \forall x\, w)$ (Barcan's Formula).

The last implies the commutativity of $\forall$ with $\Box$, both having universal character, with one quantifying over individuals while the other quantifies over states.

An additional rule of inference is:

R4. If $\vdash w_1 \supset w_2$ then $\vdash w_1 \supset \forall x\, w_2$

provided $w_1$ does not contain free occurrences of $x$.

Some theorems of the predicate modal system are:

T10. $\vdash (\forall x\, \Box w) \equiv (\Box\, \forall x\, w)$

T11. $\vdash (\exists x\, \Diamond w) \equiv (\Diamond\, \exists x\, w)$ .

The system consisting of axioms A1-A4, P1, P2, and rules R1-R4 has been shown to be complete (see [H&C]).
In the next section we consider the application of the general modal framework to the analysis of programs. For the class of universes which are used there, the states in a given universe all share the same domain $D$ and may differ by at most the values assigned to proposition symbols and individual variables. Such restricted universes are called $D$-universes. Since in such universes the assignment to all the other symbols is common to all states, we may associate this common part of the interpretation with the universe itself rather than with each state. Thus, a $D$-universe can be defined to consist of: the domain $D$, a common partial $D$-interpretation, a set of states each of which gives an assignment to the rest of the proposition symbols and individual variables, and an accessibility relation on the states. Typical domains $D$ are the domain $N$ of natural numbers, the domain $Z$ of integers, the domain $R$ of real numbers, the domain $L$ of lists, the domain $T$ of trees, etc.

A formula $w$ over a domain $D$ is any partially interpreted modal formula which may contain concrete predicates, functions, and individual elements over $D$, as well as uninterpreted predicate symbols, function symbols, individual constants and individual variables. A formula which is true in all states of all $D$-universes for a fixed $D$ is called a $D$-valid formula.

The following are some examples of $D$-valid formulas for different $D$'s. Each instance of the formula schema:

$A(0) \wedge \forall n\,[A(n) \supset A(n+1)] \supset A(k)$

is an $N$-valid formula. This partially interpreted formula schema represents the induction principle over the natural numbers.

Similarly, each instance of the schema:

$\forall t\,[(\forall t' \subset t)\, A(t') \supset A(t)] \supset A(t)$

is a $T$-valid formula, where '$\subset$' denotes the subtree relation between trees. This states the complete induction principle over trees.

II. MODAL LOGIC APPLIED TO PROGRAM ENVIRONMENT

In this section we apply the general concepts of Modal Logic to situations generated by the execution of programs. To simplify the presentation we will only consider deterministic programs. The power and elegance of the modal method are even more pronounced in dealing with nondeterministic and parallel programs.

For the concept of a state we will take an "execution state" which consists of the current values of all program variables at a certain stage in the execution. The accessibility relation between execution states will represent derivability by the program's execution. We will use predicates and quantifiers to describe properties of a single state and modalities to describe properties of the execution leading from one state to another.

Let us consider some particular program $A$ with $n$ program variables $y = (y_1, \ldots, y_n)$. Assume that the program operates over a domain $D$. Let $\ell_0, \ell_1, \ldots, \ell_e$ be a set of labels, labeling every statement of the program. $\ell_0$ is the single entry point and $\ell_e$ the single exit point. An execution state has the general structure $s = \langle \ell, \eta \rangle$ with $\ell \in \{\ell_0, \ldots, \ell_e\}$ and $\eta \in D^n$. For every input $\xi$, the program generates an execution sequence:

$s_0, s_1, \ldots$

where $s_0 = \langle \ell_0, \xi \rangle$, and each $s_i$ is an execution state.
The basic accessibility relation $R$ holds between two states $\langle \ell, \eta \rangle$ and $\langle \ell', \eta' \rangle$ if there exists a computation path from $\ell$ to $\ell'$ which transforms $\eta$ at $\ell$ to $\eta'$ at $\ell'$.

With these conventions we will proceed to express meaningful properties of programs and their executions. Remember that under our rules of the game we are never to mention $R$ explicitly.

The formulas we will consider will use a basic vocabulary which includes a set of special propositions:

$at\,\ell_0,\ at\,\ell_1,\ \ldots,\ at\,\ell_e$ ,

each corresponding to one of the labels. In addition we will allow arbitrary predicates over the $y$ (program variables) and additional auxiliary variables $u$. We assume that only the $y$'s change from one state to another, while the $u$'s, being external, remain fixed. Let $\zeta$ denote the fixed values of the auxiliary variables. The truth value of an atomic formula at a state $s = \langle \ell, \eta \rangle$ is given as follows:

$at\,\ell_i$ is true at $s$ iff $\ell_i = \ell$ .

$p(y, u)$ is true at $s$ iff $p(\eta, \zeta) = true$ .

The truth value of a non-atomic formula, possibly containing modalities, is determined by the classic rules and the rules for interpreting modalities given above.

Note that our definition of a state here conforms with the general convention of $D$-universes. The specification of a state only specifies the elements by which one state may differ from another, namely, propositions ($at\,\ell_0, at\,\ell_1, \ldots, at\,\ell_e$) and the values assigned to some of the individual free variables ($y_1, \ldots, y_n$).
1. Invariance Properties

Consider first the class of program properties which are expressible by formulas of the form

$w_0 \supset \Box w$ .

In the general modal context such a formula claims that $w$ holds true in all states $R$-accessible from any state satisfying $w_0$. In our programming context we will often take $w_0$ as $at\,\ell_0 \wedge y = \xi$, which exactly characterizes the initial state, and then we have

$(at\,\ell_0 \wedge y = \xi) \supset \Box w$ .

This states that $w$ is true for all states arising during execution. A formula of this form therefore expresses an invariance property.

Samples of important properties which fall under this category are:

A. Partial Correctness. Let $\varphi(x)$ be a precondition which restricts the set of inputs for which the program is supposed to be correct, and $\psi(x, y)$ the statement of its correctness, i.e., the relation which should hold between the input values $x$ and the output values $y$. Then in order to state partial correctness w.r.t. $(\varphi, \psi)$ we can write:

$(at\,\ell_0 \wedge y = x \wedge \varphi(x)) \supset \Box(at\,\ell_e \supset \psi(x, y))$ .

This claims that if the initial state satisfies the restricting precondition, then in any state accessible from the initial state: if that state happens to be the exit state then $\psi(x, y)$ holds between the input values $x$ and the current $y$ values. Thus this formula states that every convergent execution sequence terminates in a state satisfying $\psi$, but it does not guarantee termination itself.

Let us consider a concrete example (a program computing $x!$ over the natural numbers):

      begin ℓ2: (y1, y2) ← (y1 − 1, y1 * y2);
            ℓ3: goto ℓ1
      end;
ℓe: Halt.

The statement of its partial correctness is

$(at\,\ell_0 \wedge y_1 = x \wedge x \ge 0) \supset \Box(at\,\ell_e \supset y_2 = x!)$ .

This is indeed an inherently invariant property since it is actually only a part of a bigger global invariant which represents the "network of invariants" normally used in the Invariant-Assertion Method (see [FLO]), namely:

$(at\,\ell_0 \wedge y_1 = x \wedge x \ge 0) \supset \Box[\,(at\,\ell_1 \supset y_1 \ge 0 \wedge y_2 \cdot y_1! = x!)$
$\qquad \wedge\ (at\,\ell_2 \supset y_1 > 0 \wedge y_2 \cdot y_1! = x!)$
$\qquad \wedge\ (at\,\ell_3 \supset y_1 \ge 0 \wedge y_2 \cdot y_1! = x!)$
$\qquad \wedge\ (at\,\ell_e \supset y_1 \ge 0 \wedge y_2 = x!)\,]$ .

B. Clean Behavior. For every location in a program we can formulate a cleanness condition which states that the statement at this location will execute successfully and generate no fault. Thus if the statement contains division, the cleanness condition will include the clause that the divisor is nonzero and not so small as to cause arithmetic overflow. If the statement contains an array reference, the cleanness condition will imply that the subscript expressions do not exceed the declared range. Denoting the cleanness condition at location $\ell_i$ by $\alpha_i$, the statement of clean behavior is:

$(at\,\ell_0 \wedge \varphi(y)) \supset \Box\big(\bigwedge_i (at\,\ell_i \supset \alpha_i)\big)$ .

The conjunction is taken over all "potentially dangerous" locations in the program.

For example, the program P1 above should produce only natural number values during its computation. A cleanness condition at $\ell_2$, which is clearly a critical point, is:

$(at\,\ell_0 \wedge y_1 \ge 0) \supset \Box(at\,\ell_2 \supset y_1 > 0)$

guaranteeing that the subtraction at $\ell_2$ always yields a natural number.

C. Global Invariants. Very frequently, cleanness conditions are not related to any particular location. More generally, some other properties may be "truly" invariant independent of the location. In these cases we speak of global invariants unattached to any particular location. The expression of global invariance is even more straightforward. Thus to claim for the example above that $y_1$ is always a natural number, we may write:

$(at\,\ell_0 \wedge y_1 \ge 0 \wedge integer(y_1)) \supset \Box(y_1 \ge 0 \wedge integer(y_1))$ .

Another global invariant valid for this example is:

$(at\,\ell_0 \wedge (y_1, y_2) = (x, 1)) \supset \Box(y_2 \cdot y_1! = x!)$ ,

which states that everywhere in the execution $y_2 \cdot y_1! = x!$.

Similarly, to ensure subscript cleanness we may claim global invariants of the form:

$(at\,\ell_0 \wedge \varphi(y)) \supset \Box(0 \le I \le N)$ .

Another example of the usage of invariants is in the context of a program whose output is not necessarily apparent at the end of the execution; for example, a program whose output is printed on an external file during the computation. Consider a program for printing a sequence of prime numbers. Let $\ell$ be any location which contains a "print" instruction of the form:

$\ell$: print($y$) .

Then a part of the correctness statement for such a program is:

$w_0 \supset \Box(at\,\ell \supset prime(y))$

for all print locations $\ell$. It indicates that nothing but primes is printed.

Note that this property may specify the partial correctness even of continuous programs, i.e., programs which are not supposed to terminate but to operate continuously.

Even though our main interest in this paper is in deterministic programs, we cannot resist illustrating the efficacy of the modal formalism for parallel programs.

A state in the execution of two parallel processes will be structured as $s = \langle \ell_1, \ell_2; \eta \rangle$, i.e., it will contain references to locations in both processes. These references are tested by the propositions $at\,\ell_1$, $at\,\ell_2$ for all locations $\ell_1$ and $\ell_2$ in the two processes.

D. Mutual Exclusion. Let us consider first the property of Mutual Exclusion. Let two processes $P_1$ and $P_2$ execute in parallel. Assume that each process contains a section $C_i$, $i = 1, 2$, which includes some task critical to the cooperation of the two processes. For example, it might access a shared device (such as a disk) or a shared variable. If the nature of the task is such that it must be done exclusively by one process or the other, but never by both of them simultaneously, we call these sections critical sections. The property that states that the processes are never simultaneously executing in their respective critical sections is called Mutual Exclusion with respect to this pair of critical sections.

The property of mutual exclusion for $C_1$ and $C_2$ can be described by:

$w_0 \supset \Box({\sim}(at\,\ell_1 \wedge at\,\ell_2))$

for every pair of labels $\ell_1 \in C_1$ and $\ell_2 \in C_2$. This states that it is never the case that the joint execution of the processes reaches $\ell_1$ and $\ell_2$ simultaneously. Hence, mutual exclusion is implied. In practice, one does not have to actually consider all possible pairs $\ell_1, \ell_2$.

E. Deadlock Freedom. A standard synchronization device in concurrent systems is the semaphore which is implemented by the atomic instructions:

$p(x)$: $x > 0 \to [x \leftarrow x - 1]$

$v(x)$: $x \leftarrow x + 1$ .

A process reaching a $p(x)$ instruction will proceed beyond it only if $x > 0$, and then it will decrement $x$ by 1, usually setting it to 0. No further process may go beyond a $p(x)$ instruction until somebody (in all probability the process that has just decremented $x$) performs a $v(x)$ operation, increasing $x$ to 1.

A concurrent system consisting of $n$ parallel processes is said to be deadlocked if none of the processes can execute any further step. If we assume that the only synchronization device in a system is semaphores, then the only possibility for a deadlock is the situation:

$\ell_1 : p(x^1)$
$\ \vdots$
$\ell_n : p(x^n)$

for some locations $\ell_1, \ldots, \ell_n$ ($\ell_i$ belonging to process $i$), where all $n$ of the processes in the system are currently waiting for 'p' operations on the semaphore variables $x^1, \ldots, x^n$ (not necessarily distinct) while $x^1 = x^2 = \cdots = x^n = 0$.

To exclude this possibility we can require:

$w_0 \supset \Box\big(\bigwedge_{i=1}^{n} at\,\ell_i \supset \bigvee_{i=1}^{n} (x^i > 0)\big)$ .

This requires that whenever all the processes are each at the $\ell_i : p(x^i)$ operation, $i = 1, \ldots, n$, at least one of the $x^i$'s must be positive. The corresponding process can then proceed.

In order to completely eliminate the possibility of deadlock in the system, we must impose a similar requirement for every $n$-tuple of 'p' locations.


2. Eventuality Properties

A second category of properties are those expressible by formulas of the form:

$w_1 \supset \Diamond w_2$ .

In the general context this means that if at any state $s_1$, $w_1$ is true, there exists a state $s_2$, $R$-accessible from $s_1$, in which $w_2$ is true.

In the programming context it means that if $w_1$ ever arises during execution, it will eventually be followed by another state in which $w_2$ is true. A formula of this form therefore expresses an eventuality property. Following are some samples of properties expressible by formulas of this form.

A. Total Correctness. A program is said to be totally correct w.r.t. a specification $(\varphi, \psi)$, if for every input $\xi$ satisfying $\varphi(\xi)$, termination is guaranteed, and the final values $y = \eta$ upon termination satisfy $\psi(\xi, \eta)$. Once more, let $\ell_0$ denote the entry location and $\ell_e$ the exit location of the program. Total correctness w.r.t. $(\varphi, \psi)$ is expressible by:

$(at\,\ell_0 \wedge y = x \wedge \varphi(x)) \supset \Diamond(at\,\ell_e \wedge \psi(x, y))$ .

This says that if we have an execution sequence which begins in a state which is at location $\ell_0$ and has values $y = x$ satisfying $\varphi$, then later in that execution sequence we are guaranteed to have a state which is at $\ell_e$ and satisfies $\psi(x, y)$.

For example, the statement of total correctness of the program P1 for the computation of $x!$ is:

$(at\,\ell_0 \wedge y_1 = x \wedge x \ge 0) \supset \Diamond(at\,\ell_e \wedge y_2 = x!)$ .
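The formulas stated for program P1 in this section and the previous one (partial correctness, the network of invariants, cleanness at $\ell_2$, the global invariant $y_2 \cdot y_1! = x!$, and total correctness) can be checked on concrete inputs by generating the execution sequence and evaluating $\Box$ and $\Diamond$ over it. The following Python code is an added example and is not the paper's. Since the entry lines of P1 are missing from the listing above, it assumes $\ell_0$: $(y_1, y_2) \leftarrow (x, 1)$ and $\ell_1$: if $y_1 = 0$ then goto $\ell_e$, which is what the invariant network implies. A second, deliberately wrong exit test ($y_1 = 1$) is constructed to show that partial correctness can hold while total correctness and cleanness fail.

```python
# Added example (not the paper's code): P1 as a transition system and the
# paper's invariance (□) and eventuality (◇) formulas checked over its
# execution sequences.  ASSUMED (missing from the page): ℓ0: (y1,y2) ← (x,1)
# and ℓ1: if y1 = 0 then goto ℓe.
from math import factorial

L0, L1, L2, L3, LE = 'l0', 'l1', 'l2', 'l3', 'le'

def step(s, x, loop_test):
    """One execution step of P1 from state s = (label, y1, y2); None at ℓe."""
    lab, y1, y2 = s
    if lab == L0:
        return (L1, x, 1)                        # assumed ℓ0: (y1,y2) ← (x,1)
    if lab == L1:                                # assumed ℓ1: exit test
        return (LE, y1, y2) if loop_test(y1) else (L2, y1, y2)
    if lab == L2:
        return (L3, y1 - 1, y1 * y2)             # ℓ2: (y1,y2) ← (y1−1, y1*y2)
    if lab == L3:
        return (L1, y1, y2)                      # ℓ3: goto ℓ1
    return None                                  # ℓe: Halt

def execution(x, loop_test=lambda y1: y1 == 0, bound=80):
    """Execution sequence s0, s1, ... from <ℓ0, (x,1)>, cut at `bound` states
    so that a non-terminating run still yields a (partial) sequence."""
    seq = [(L0, x, 1)]
    while len(seq) < bound:
        nxt = step(seq[-1], x, loop_test)
        if nxt is None:
            break
        seq.append(nxt)
    return seq

# For a deterministic program the states R-accessible from s_i are exactly
# s_i, s_{i+1}, ... (R is reflexive and transitive), so:
def box(seq, i, w, x):
    return all(w(s, x) for s in seq[i:])         # |□w| at s_i

def dia(seq, i, w, x):
    return any(w(s, x) for s in seq[i:])         # |◇w| at s_i

def check(modality, w0, w, inputs, loop_test=lambda y1: y1 == 0):
    """Does  w0 ⊃ <modality> w  hold at every state of every execution
    started on an input in `inputs`?  (A truncated sequence can only
    reveal violations, not prove absence of them.)"""
    for x in inputs:
        seq = execution(x, loop_test)
        for i in range(len(seq)):
            if w0(seq[i], x) and not modality(seq, i, w, x):
                return False
    return True

# State predicates (s, x) -> bool for the formulas in the text.
def init(s, x):            # at ℓ0 ∧ y1 = x ∧ x ≥ 0
    return s[0] == L0 and s[1] == x and x >= 0

def partial_correct(s, x): # at ℓe ⊃ y2 = x!
    return s[0] != LE or s[2] == factorial(x)

def total_correct(s, x):   # at ℓe ∧ y2 = x!
    return s[0] == LE and s[2] == factorial(x)

def clean_at_l2(s, x):     # at ℓ2 ⊃ y1 > 0   (subtraction stays in N)
    return s[0] != L2 or s[1] > 0

def global_inv(s, x):      # y2 * y1! = x!    (y1 ≥ 0 keeps y1! defined)
    return s[1] >= 0 and s[2] * factorial(s[1]) == factorial(x)

def network(s, x):         # the "network of invariants" for P1
    lab, y1, y2 = s
    ok = y1 >= 0 and y2 * factorial(y1) == factorial(x)
    return {L1: ok, L2: ok and y1 > 0, L3: ok,
            LE: ok and y2 == factorial(x)}.get(lab, True)

INPUTS = range(0, 8)
BUGGY_TEST = lambda y1: y1 == 1              # constructed wrong exit test

if __name__ == '__main__':
    print("partial correctness:", check(box, init, partial_correct, INPUTS))
    print("invariant network:  ", check(box, init, network, INPUTS))
    print("total correctness:  ", check(dia, init, total_correct, INPUTS))
    print("buggy exit test: partial", check(box, init, partial_correct, INPUTS, BUGGY_TEST),
          "total", check(dia, init, total_correct, INPUTS, BUGGY_TEST),
          "clean", check(box, init, clean_at_l2, INPUTS, BUGGY_TEST))
```

With the exit test $y_1 = 1$ the program still halts with $y_2 = x!$ for every $x \ge 1$, so partial correctness is not violated on any input; but for $x = 0$ it runs past $\ell_2$ with $y_1 = 0$ and never reaches $\ell_e$, which the cleanness and total-correctness checks report. The bound on the sequence length is what makes the $\Diamond$ check decidable here; a violation it reports is genuine, while a "true" result for $\Box$ on a truncated sequence only covers the prefix explored.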

B. General Eventualities. Eventuality formulas enable us to express a causality relation between any two events, not only between program initialization and termination but also between events arising during the execution. This becomes especially important when discussing continuously executing programs, i.e., where termination is not expected. The general form of such an eventuality is:

$(at\,\ell_1 \wedge \varphi_1) \supset \Diamond(at\,\ell_2 \wedge \varphi_2)$

and it claims that whenever $\varphi_1$ arises at $\ell_1$ we are guaranteed of eventually reaching $\ell_2$ with $\varphi_2$ true. This is the exact formalization of the basic Intermittent-Assertion statement (see [M&W]):

"If sometimes $\varphi_1$ at $\ell_1$, then sometimes $\varphi_2$ at $\ell_2$."

Consider for example the program for printing successive prime numbers. Under the invariance properties we expressed the claim that nothing but primes are printed. Here we can state that the proper sequence of primes is produced. Let

$\ell$: print($y$)

be the only printing instruction in the program. Then the following two clauses ensure the desired property:

$at\,\ell_0 \supset \Diamond(at\,\ell \wedge y = 2)$

$(at\,\ell \wedge y = x) \supset \Diamond(at\,\ell \wedge y = nextprime(x))$ .

The first statement assures arrival at $\ell$ with $y$ being the first prime. The second claim ensures that after any prime is printed the next prime in sequence will eventually be printed.

Note that these statements do not guarantee that no prime is printed more than once or out of sequence, but together with the invariance clause above they do guarantee that all printed results are primes, and that a subsequence of the printed results is the ascending sequence of primes.

Again, let us allow ourselves a short excursion into the world of parallel programs.

C. Accessibility. Consider again a process which has a critical section $C$. In the previous discussion we have shown how to state exclusion or protection for that section. A related property is that of accessibility: that if a process wishes to enter its critical section, it will eventually get there and will not be indefinitely held up by the protection mechanism.

Let $\ell_1$ be a location just before the critical section. The fact that the process is at $\ell_1$ indicates an intention to enter the critical section. Let $\ell_2$ be a location inside the critical section. The property of accessibility can then be expressed by:

$at\,\ell_1 \supset \Diamond\, at\,\ell_2$ ,

namely, whenever the program is at $\ell_1$, it will eventually get to $\ell_2$.

A correct construction of critical sections should ensure these two complementary properties: that of protection (exclusiveness) and that of accessibility.
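The three properties stated for critical sections, mutual exclusion (D above), deadlock freedom (E above) and accessibility (C here), can be checked by exhaustive exploration of the joint state space of the processes. The following Python code is an added example and is not from the paper. It assumes a constructed program in which every process runs the loop $n$: noncritical; $p$: $p(x)$; $c$: critical section; $v$: $v(x)$; goto $n$ (the location names are ours), takes $R$ to be the reflexive-transitive closure of the interleaved one-step relation (existence of a computation path, as in the definition of $R$ above), and varies the initial value of the semaphore to show how each property fails.

```python
# Added example (not from the paper): exhaustive check of mutual exclusion,
# deadlock freedom and accessibility for n processes sharing one semaphore x.
# Constructed process (location names are ours):
#     n: noncritical;  p: p(x);  c: critical section;  v: v(x);  goto n
from collections import deque

NEXT = {'n': 'p', 'p': 'c', 'c': 'v', 'v': 'n'}

def successors(state):
    """States reachable from `state` = (locations, x) by one atomic step of
    any single process (interleaving semantics)."""
    locs, x = state
    out = []
    for i, loc in enumerate(locs):
        if loc == 'p':                 # p(x): x > 0 → [x ← x − 1]
            if x == 0:
                continue               # blocked: this process cannot step
            nx = x - 1
        elif loc == 'v':               # v(x): x ← x + 1
            nx = x + 1
        else:
            nx = x
        nl = list(locs)
        nl[i] = NEXT[loc]
        out.append((tuple(nl), nx))
    return out

def reachable(init):
    """All states R-accessible from init: R is the reflexive-transitive
    closure of the one-step relation (there is a computation path)."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def box_from(s, w):                    # |□w| at s
    return all(w(t) for t in reachable(s))

def dia_from(s, w):                    # |◇w| at s
    return any(w(t) for t in reachable(s))

def mutual_exclusion(init):
    """init ⊃ □ ~(at c_i ∧ at c_j) for every pair of distinct processes."""
    return box_from(init, lambda s: sum(l == 'c' for l in s[0]) <= 1)

def deadlock_free(init):
    """init ⊃ □ (∧_i at p_i ⊃ x > 0): if everyone waits at p(x), someone can
    pass.  With a single semaphore this is the only possible deadlock."""
    return box_from(init, lambda s: not all(l == 'p' for l in s[0]) or s[1] > 0)

def no_stuck_state(init):
    """The definition directly: no reachable state in which no process can step."""
    return all(successors(s) for s in reachable(init))

def accessibility(init, i):
    """at p_i ⊃ ◇ at c_i, checked at every state reachable from init."""
    return all(dia_from(s, lambda t: t[0][i] == 'c')
               for s in reachable(init) if s[0][i] == 'p')

def system(n, x0):
    """Initial state: all n processes noncritical, semaphore x = x0."""
    return (('n',) * n, x0)

if __name__ == '__main__':
    for x0 in (0, 1, 2):
        s0 = system(2, x0)
        print(f"x0={x0}: states={len(reachable(s0))} exclusion={mutual_exclusion(s0)} "
              f"deadlock_free={deadlock_free(s0)} accessibility={accessibility(s0, 0)}")
```

Initialising the semaphore to 1 satisfies all three properties; initialising it to 2 keeps the system deadlock free but lets both processes into their critical sections at once; initialising it to 0 makes the state with both processes waiting at $p(x)$ reachable, where the deadlock formula fails and no $c$ state is accessible from $p$. Note that with a branching $R$ the $\Diamond$ in the accessibility formula says only that some computation path reaches the critical section, not that every scheduling does; ruling out starvation needs a fairness assumption that $R$ alone does not express.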

D. Responsiveness. Consider an example of a program modeling an operating system. Assume that it serves a number of customer programs by scheduling a shared resource between them. Let the customer programs communicate with the operating system concerning a given resource via a set of boolean variables $(r_i, g_i)$. $r_i$ is set to true by customer program number $i$ to signal a request for the resource; $g_i$ is set to true by the operating system to signal that customer $i$ is granted the use of the resource. The statement that the operating system fairly responds to user requests (responsiveness) is given by:

$r_i \supset \Diamond g_i$ ,

i.e., whenever $r_i$ becomes true, eventually $g_i$ will turn true.

Note that since these events are global and not attached to any specific location, they can model external events such as interrupts and unsolicited signals.
III. PROOF SYSTEMS


After  giving  some  evidence  of  the  power  of  the  modal  notation  in 
expressing  interesting  program  properties,  we  should  search  next  for  proof 
systems  in  which  these  properties  can  be  formally  established.  Obviously, 
the  basis  for  all  such  systems  will  be  the  general  S4  framework  introduced 
above.  However,  this  basis  must  be  augmented  by  additional  axioms  and 
rules,  reflecting  the  properties  of  the  domain  and  the  structure  of  the 
program  under  consideration.  These  additional  conditions  will  constrain 
the  accessibility  relation  R(s,s')  to  represent  the  relation  of  s' 
being  derivable  from  s  by  an  execution  of  the  program.  This  releases  us 
from  the  need  to  express  program  text  syntactically  in  the  system;  instead 
all necessary information is captured by the constraints on the accessibility relation as expressed by the additional axioms.

Our  proof  systems  will  therefore  consist  of  three  parts:  a  general 
part  which  contains  S4-like  axioms,  elaborating  the  general  properties  of 
the  relation  R  ;  a  proper  part  which  gives  an  axiomatic  description  of  the 
domain;  and  a  local  part  consisting  of  axiom  schemata  which  generate  a  set 
of  local  axioms  for  any  particular  program.  The  local  axioms  constrain  the 
state  sequences  to  those  considered  to  be  execution  sequences  of  the  program 
under  study. 

1.  The  sometime  system. 

Our  simpler  system,  called  here  the  sometime  system,  is  based  on  S4. 

A. General Part: The general part consists of the following S4 axioms:

A1. $\vdash \Diamond\sim w \equiv \sim\Box w$

A2. $\vdash \Box(w_1 \supset w_2) \supset (\Box w_1 \supset \Box w_2)$

A3. $\vdash \Box w \supset w$

A4. $\vdash \Box w \supset \Box\Box w$

P1. $\vdash (\forall x\, w(x)) \supset w(t)$, where $t$ is "free for $x$" in $w$.

P2. $\vdash (\forall x\, \Box w) \supset (\Box\, \forall x\, w)$ .

The rules of inference are:

R1. If $w$ is an instance (possibly modal) of a tautology, then $\vdash w$.

R2. If $\vdash w_1 \supset w_2$ and $\vdash w_1$, then $\vdash w_2$.

R3. If $\vdash w$, then $\vdash \Box w$.

R4. If $\vdash w_1 \supset w_2$, then $\vdash w_1 \supset \forall x\, w_2$, provided $w_1$ does not contain free occurrences of $x$.

This system generally constrains $R$ to be reflexive (A3) and transitive (A4).

B.  Proper  part:  The  next  part  of  the  system  contains  a  set  of  proper 
axioms  and  axiom  schemata.  These  axioms  specify  all  the  needed  properties 
of  the  domain  of  interest.  Thus,  to  reason  about  programs  manipulating 
natural  numbers,  we  need  the  set  of  Peano  axioms.  To  reason  about  trees  we 
need  a  set  of  axioms  giving  the  basic  properties  of  trees  and  of  the  basic 
operations  defined  on  them.  An  essential  axiom  schema  for  every  domain 
should  be  the  induction  axiom  schema.  This  (and  all  other  schemata)  should 
be formulated to admit modal instances as subformulas. Thus the induction principle for natural numbers is:

$\vdash A(0) \wedge \forall n[A(n) \supset A(n+1)] \supset A(k)$

A modal instance of this principle which will be used later is:

Induction Theorem:

$\vdash \Box(P(0) \supset \Diamond\psi) \wedge \forall n[\Box(P(n) \supset \Diamond\psi) \supset \Box(P(n+1) \supset \Diamond\psi)] \supset \Box(P(k) \supset \Diamond\psi)$ .

Similar induction theorems will exist for any other set of proper axioms which depend on natural well-founded orderings existing in the domain.

C.  Local  part:  The  axioms  and  rules  above  represent  the  general  framework 
needed  for  our  reasoning.  Next  we  introduce  a  set  of  local  axioms  which 
depend  on  the  particular  program  to  be  analyzed. 

The first axiom depends only on the identity of the program variables. Let $w$ be any formula which does not contain any program variables or propositions $\mathit{at}\,\ell_i$; then the following is an axiom:

Frame Axiom: $\vdash w \supset \Box w$ .

The  justification  hinges  on  the  fact  that  R-related  states  may  differ  from 
one  another  only  in  the  assignments  to  program  variables. 

A second generic axiom states that every state $s$ has exactly one label $\ell_i$ such that $\mathit{at}\,\ell_i$ is true.

Location Axiom: $\vdash \sum_{i=0}^{e} \mathit{at}\,\ell_i = 1$ .

We use here the abbreviation $\sum_i p_i = 1$ or $p_1 + \ldots + p_n = 1$ meaning that exactly one of the $p_i$'s is true.

The  other  axioms  are  local  to  each  program.  For  these  axiom  schemata 
we  make  the  following  simplifying  assumptions  about  the  program: 

Assume that the program is represented as a directed graph whose nodes are the program locations or labels, and whose edges represent transitions between the labels. A transition is an instruction of the general form

$c(y) \rightarrow [y \leftarrow f(y)]$ .

$c(y)$ is a condition (may be the trivial condition true) under which the transition replacing $y$ by $f(y)$ should be taken; $y = y_1, \ldots, y_n$ is the vector of program variables. We assume that all the conditions $c_1, \ldots, c_k$ on transitions departing from any node are mutually exclusive and exhaustive (i.e., $\sum_i c_i = 1$).

The  role  of  the  local  axioms  is  to  introduce  our  knowledge  about  the 
program  into  the  system.  Since  the  system  does  not  provide  direct  tools  for 
speaking  about  programs  (such  as  Hoare's  formalism),  the  local  axioms 
represent  the  program  by  characterizing  the  possible  state  transitions 
under  the  program  control. 

For any transition $\alpha$ of the form $c(y) \rightarrow [y \leftarrow f(y)]$ leading from $\ell$ to $\ell'$ we can generate an axiom $F_\alpha$. This axiom corresponds to a "forward" propagation (derivation of the strongest postcondition) across the transition $\alpha$:

$F_\alpha$: $\vdash [\mathit{at}\,\ell \wedge c(y) \wedge y = \eta] \supset \Diamond(\mathit{at}\,\ell' \wedge y = f(\eta))$ .

This axiom states: if at any state execution is at $\ell$, $c(y)$ holds, and the current values of $y$ are $\eta$, then sometime later we will be at $\ell'$ with the variables $y = f(\eta)$.

A different approach which suggests an alternate axiom schema is obtained by "backward" substitution (derivation of the weakest precondition):

$B_\alpha$: $\vdash [\mathit{at}\,\ell \wedge c(y) \wedge P(f(y))] \supset \Diamond(\mathit{at}\,\ell' \wedge P(y))$ ,

where $P(f(y))$ denotes the substitution of $f(y)$ for all free occurrences of $y$ in $P(y)$. This form of the axiom expresses the effect of the transition on an arbitrary predicate $P$ (predicate transformer). It says that if $\mathit{at}\,\ell \wedge c(y)$ and $P(f(y))$ hold, then we are guaranteed to eventually reach $\ell'$ with $P(y)$. $F_\alpha$ and $B_\alpha$ are equivalent and can be derived from each other.

Note that both forms ignore the fact that the 'sometime' guaranteed is actually in the immediately next instance. This is a consequence of the fact that we can only guarantee things eventually and have no way to formulate properties of the next instance.

Consider for example the following program over the integers which raises a number $x_1$ to an integral power $x_2 \geq 0$, assuming that $(x_1, x_2)$ are the initial values of the variables $(y_1, y_2)$.

The local backward axiom schemata corresponding to this program are:

$B_\alpha$: $\vdash [\mathit{at}\,\ell_0 \wedge P(y_1, y_2, 1)] \supset \Diamond(\mathit{at}\,\ell_1 \wedge P(y_1, y_2, y_3))$

$B_\beta$: $\vdash [\mathit{at}\,\ell_1 \wedge y_2 = 0 \wedge P] \supset \Diamond(\mathit{at}\,\ell_3 \wedge P)$

$B_\gamma$: $\vdash [\mathit{at}\,\ell_1 \wedge y_2 > 0 \wedge \mathit{odd}(y_2) \wedge P(y_1, y_2 - 1, y_1 \cdot y_3)] \supset \Diamond(\mathit{at}\,\ell_1 \wedge P(y_1, y_2, y_3))$

$B_\delta$: $\vdash [\mathit{at}\,\ell_1 \wedge y_2 > 0 \wedge \mathit{even}(y_2) \wedge P(y_1^2, y_2\,\mathit{div}\,2, y_3)] \supset \Diamond(\mathit{at}\,\ell_1 \wedge P(y_1, y_2, y_3))$


D. Derived rules: Before demonstrating a proof in the system we will develop several useful derived rules:

$\Box$-Generalization:

$\frac{\vdash P \supset Q}{\vdash \Box P \supset \Box Q}$

This is obtained by application of modal generalization R3 and the use of A2.

By substituting in the above $\sim Q$ for $P$ and $\sim P$ for $Q$, we obtain:

$\Diamond$-Generalization:

$\frac{\vdash P \supset Q}{\vdash \Diamond P \supset \Diamond Q}$
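The substitution step just mentioned, carried through as an added derivation (not part of the paper's text), using only A1, R1, R2 and $\Box$-Generalization:

$\vdash P \supset Q$ (premise)

$\vdash \sim Q \supset \sim P$ (contraposition, by R1 and R2)

$\vdash \Box\sim Q \supset \Box\sim P$ ($\Box$-Generalization)

$\vdash \sim\Box\sim P \supset \sim\Box\sim Q$ (contraposition)

$\vdash \Diamond P \supset \Diamond Q$ (A1 with $w = \sim P$ and with $w = \sim Q$, together with $\sim\sim w \equiv w$)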


The following additional rules correspond to proof rules existent in most axiomatic verification systems. (In these rules interpret $P \supset \Box Q$ and $P \supset \Diamond Q$ as stating the partial and total correctness of some program segment respectively.)

Consequence:

$\frac{\vdash P \supset Q,\quad \vdash Q \supset \Diamond R,\quad \vdash R \supset S}{\vdash P \supset \Diamond S}$

From $\vdash R \supset S$ (using $\Diamond$-Gen.) we obtain $\vdash \Diamond R \supset \Diamond S$ which can be combined with the other premises to lead to the result.

Concatenation:

$\frac{\vdash P \supset \Diamond Q,\quad \vdash Q \supset \Diamond R}{\vdash P \supset \Diamond R}$

Here we derive $\vdash \Diamond Q \supset \Diamond\Diamond R$ by the $\Diamond$-Gen rule. We then use Theorem T9 ($\vdash \Diamond\Diamond R \supset \Diamond R$) to obtain $\vdash \Diamond Q \supset \Diamond R$. The conclusion follows by propositional reasoning.

A derived frame rule more appropriate to step-by-step transitions is given by:

Frame Rule:

$\frac{\vdash P \supset \Diamond Q}{\vdash (P \wedge w) \supset \Diamond(Q \wedge w)}$

provided $w$ contains no program variables or propositions $\mathit{at}\,\ell_i$.

This rule is a simple consequence of the Frame Axiom $\vdash w \supset \Box w$ and of Theorem T7 ($\vdash \Diamond Q \wedge \Box w \supset \Diamond(Q \wedge w)$).


We will also need some rules for establishing the convergence of loops. These rules will of course depend on the domain under discussion and the induction principle provided in that domain. For the domain of natural numbers we already mentioned the Induction Theorem:

$\Box[P(0) \supset \Diamond\psi] \wedge \forall n[\Box(P(n) \supset \Diamond\psi) \supset \Box(P(n+1) \supset \Diamond\psi)] \supset \Box[P(k) \supset \Diamond\psi]$ .

Using this induction theorem we can derive the following rule:

Induction Rule 1:

$\frac{\vdash P(0) \supset \Diamond\psi,\quad \vdash [P(n) \supset \Diamond\psi] \supset [P(n+1) \supset \Diamond\psi]}{\vdash (\exists k\, P(k)) \supset \Diamond\psi}$

This rule says that if $P(0)$ eventually guarantees $\psi$, and if for any $n$, the fact that $P(n)$ guarantees $\psi$ implies that $P(n+1)$ guarantees $\psi$, then if $P(k)$ is true for some $k$, $\psi$ is eventually guaranteed. This rule is useful for proving convergence of a loop, if for example we have a $P$ such that $P(0) \supset \Diamond\psi$ and across the loop's body $P(n+1) \supset \Diamond P(n)$, implying the second premise of the rule.

From this rule we can derive a more liberal form of the induction rule.

Induction Rule 2:

$\frac{\vdash P(0) \supset \Diamond\psi,\quad \vdash P(n+1) \supset \Diamond(\psi \vee P(n))}{\vdash (\exists k\, P(k)) \supset \Diamond\psi}$

Rule 2 is more liberal than Rule 1 since it does not require us to give an exact estimate of the number of repetitions of the loop, but allows instead an estimate of an upper bound. We can see this by observing that in the previous case we required that $P(n+1)$ leads to $P(n)$ across the loop's body, and only $P(0)$ ensures $\psi$. Thus to start the argument we have to state $P(k)$ where we expect the loop to be executed $k$ times. In Rule 2 we claim that for each $n$, either $P(n+1)$ implies $P(n)$ across the loop, or that it establishes $\psi$ and no further execution is necessary. Thus $P(k)$ ensures that the loop is executed at most $k$ times and $\psi$ is established on the last iteration or earlier.

2. Total Correctness - Example and Discussion

Let us use this system to establish the correctness of the example program P2 computing $x_1^{x_2}$. We will prove that

$\vdash [\mathit{at}\,\ell_0 \wedge (y_1, y_2) = (x_1, x_2) \wedge x_2 \geq 0] \supset \Diamond(\mathit{at}\,\ell_3 \wedge y_3 = x_1^{x_2})$ ,

namely: if we are in any state at $\ell_0$ with $y = x$ then there exists a state in which we are at $\ell_3$ and $y_3 = x_1^{x_2}$.

In the proof below we use the backward form of the axioms. The proof proceeds as follows:

1. $\vdash [\mathit{at}\,\ell_0 \wedge (y_1, y_2) = (x_1, x_2) \wedge x_2 \geq 0] \supset [\mathit{at}\,\ell_0 \wedge y_2 \geq 0 \wedge 1 \cdot y_1^{y_2} = x_1^{x_2}]$

A Z-valid formula.

2. $\vdash [\mathit{at}\,\ell_0 \wedge y_2 \geq 0 \wedge 1 \cdot y_1^{y_2} = x_1^{x_2}] \supset \Diamond[\mathit{at}\,\ell_1 \wedge y_2 \geq 0 \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}]$

By $B_\alpha$ with $P(y_1, y_2, y_3) = (y_2 \geq 0 \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2})$.

3. $\vdash [\mathit{at}\,\ell_0 \wedge (y_1, y_2) = (x_1, x_2) \wedge x_2 \geq 0] \supset \Diamond[\mathit{at}\,\ell_1 \wedge y_2 \geq 0 \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}]$

By Consequence 1, 2.

Denote now:

$Q(n, y)$: $\mathit{at}\,\ell_1 \wedge 0 \leq y_2 \leq n \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}$ .

Using Induction Rule 2, we will establish

(*) $\vdash (\exists k\, Q(k, y)) \supset \Diamond(\mathit{at}\,\ell_e \wedge y_3 = x_1^{x_2})$

where we take $\psi = (\mathit{at}\,\ell_e \wedge y_3 = x_1^{x_2})$.

Applying the Consequence Rule to 3, we have:

4. $\vdash [\mathit{at}\,\ell_0 \wedge (y_1, y_2) = (x_1, x_2) \wedge x_2 \geq 0] \supset \Diamond Q(y_2, y)$

which establishes $\exists k\, Q(k, y)$ by taking $k = y_2$.

In order to use the Induction Rule 2, we show first $Q(0, y) \supset \Diamond\psi$. Note that $Q(0, y)$ implies $y_2 = 0$.

5. $\vdash Q(0, y) \supset \Diamond[\mathit{at}\,\ell_3 \wedge y_3 = x_1^{x_2}]$, hence $\Diamond\psi$, by $B_\beta$ and Consequence.

We now proceed to show by case analysis that

$\vdash Q(n+1, y) \supset \Diamond[\psi \vee Q(n, y)]$ .

6. $\vdash [Q(n+1, y) \wedge y_2 = 0] \supset \Diamond[\mathit{at}\,\ell_3 \wedge y_3 = x_1^{x_2}]$, hence $\Diamond\psi$, by $B_\beta$ and Consequence.

7. $\vdash [Q(n+1, y) \wedge y_2 > 0 \wedge \mathit{odd}(y_2)] \supset \Diamond Q(n, y)$

by $B_\gamma$, logic and Consequence.

8. $\vdash [Q(n+1, y) \wedge y_2 > 0 \wedge \mathit{even}(y_2)] \supset \Diamond Q(n, y)$

by $B_\delta$, logic and Consequence.

In the proof of 8 we use the fact that $0 < y_2 \leq n+1$ implies $0 \leq y_2\,\mathit{div}\,2 \leq n$.

9. $\vdash Q(n+1, y) \supset \Diamond[(\mathit{at}\,\ell_e \wedge y_3 = x_1^{x_2}) \vee Q(n, y)]$

by taking the "or" of 6, 7, 8, propositional reasoning and T4.

By the Induction Rule 2 we get from 5 and 9:

10. $\vdash \exists k\, Q(k, y) \supset \Diamond[\mathit{at}\,\ell_e \wedge y_3 = x_1^{x_2}]$ .

Combining 4 and 10 with Concatenation and Consequence, we get:

11. $\vdash [\mathit{at}\,\ell_0 \wedge (y_1, y_2) = (x_1, x_2) \wedge x_2 \geq 0] \supset \Diamond[\mathit{at}\,\ell_3 \wedge y_3 = x_1^{x_2}]$ .

This concludes the proof of total correctness of our example program.

Clearly, a statement of the form

$[\mathit{at}\,\ell \wedge P] \supset \Diamond[\mathit{at}\,\ell' \wedge P']$

is exactly a formalization of the typical "intermittent assertion":

"If sometime $P$ at $\ell$, then sometime $P'$ at $\ell'$."

Thus we are justified in regarding this modal system as the most appropriate formalization of the Intermittent-Assertion method.

When we investigate the "power" of the system we find that it is adequate for proving valid eventualities, i.e., properties of the form:

$P \supset \Diamond Q$

which are valid for programs over the given domain. For this reason we named this system the "sometime" system.

Unfortunately this system is inadequate for proving invariance properties such as partial correctness and global properties. This deficiency is not a flaw in the logic formalism itself, but in the failure of the local axioms to capture exactly the execution sequences of the given program and nothing more. While $[\mathit{at}\,\ell \wedge P] \supset \Diamond[\mathit{at}\,\ell' \wedge P']$ guarantees that $\ell'$ will be reached sometime in the future, we have no way to specify that $\ell'$ is actually reached in the next immediate state. This does not hurt us when we prove eventualities since we do not care about intermediate states other than those explicitly mentioned. But in order to claim invariance, we have to keep track of all intermediate states, and then we must be able to describe what happens in the next immediate state.


3. The Nexttime System

In order to correct this deficiency we introduce an additional modal operator into our system. This is the next instance operator, denoted by $\bigcirc$.

A semantic model for the extended system will now consist of a set of states and an immediate accessibility relation $\rho$ connecting some of these states; $\rho$ corresponds to the next or immediate future relation. In any such universe (model) we define $R$ to be the reflexive transitive closure of $\rho$, which therefore gives it the meaning of "present or eventual future". Semantic truth in a state $s$ in such a universe is now defined (extending the previous definition) as:

$|\Box w|_s = \forall s'[R(s, s') \supset |w|_{s'}]$

$|\Diamond w|_s = \exists s'[R(s, s') \wedge |w|_{s'}]$

$|\bigcirc w|_s = \exists s'[\rho(s, s') \wedge |w|_{s'}]$

This extended system is aptly called the nexttime system.

Following we present an axiomatic system for the 'nexttime' logic. Where it differs very little from the 'sometime' system, we will only mark the differences.

A. General Part:

Axioms:

C1. $\vdash \Diamond\sim w \equiv \sim\Box w$

C2. $\vdash \Box(w_1 \supset w_2) \supset (\Box w_1 \supset \Box w_2)$

C3. $\vdash \Box w \supset w$

C4. $\vdash \bigcirc(\sim w) \equiv \sim\bigcirc(w)$

C5. $\vdash \bigcirc(w_1 \supset w_2) \supset (\bigcirc w_1 \supset \bigcirc w_2)$

C6. $\vdash \Box w \supset \bigcirc w$

C7. $\vdash \Box w \supset \bigcirc\Box w$

C8. $\vdash \Box(w \supset \bigcirc w) \supset (w \supset \Box w)$

P1. $\vdash [\forall x\, w(x)] \supset w(t)$ where $t$ is "free for $x$" in $w$.

P2. $\vdash (\forall x\, \Box w) \supset (\Box\, \forall x\, w)$

P3. $\vdash (\forall x\, \bigcirc w) \supset (\bigcirc\, \forall x\, w)$ .

C1-C3, P1, P2 are the same as A1-A3, P1, P2 in the 'sometime' system. C4 claims the uniqueness of the next instance. C5 is the analogue of C2 for the $\bigcirc$ operator. C6 claims that the next state is one of the reachable states. It also guarantees that each state has a successor. (In order to satisfy this requirement in the programming context we stipulate that each exit label in the program's graph is connected to itself by a trivial transition.) C7 is a weaker version of A4 ($\vdash \Box w \supset \Box\Box w$) in the 'sometime' system and can be used together with C8 to prove this as a theorem in the 'nexttime' system. C8 is the "computational induction" axiom; it states that if a property is inherited over a one-step transition, it is invariant over any path.

Rules of Inference: Identical to R1-R4 of the 'sometime' system.

A simple theorem of this system is:

T12: $\vdash \bigcirc w \supset \Diamond w$

obtained by negation of C6 and applications of C1 and C4.
B. Proper part: Since the proper part consists solely of first-order axioms, it is identical with the proper part of the 'sometime' system.

C. Local part: The Frame and Location Axioms remain the same. The main difference is in the local axioms which now describe transitions between a state and its immediate successor. For a transition

$\alpha$: $c(y) \rightarrow [y \leftarrow f(y)]$ leading from $\ell$ to $\ell'$

we generate the "forward" axiom $F_\alpha$:

$F_\alpha$: $\vdash [\mathit{at}\,\ell \wedge c(y) \wedge y = \eta] \supset \bigcirc(\mathit{at}\,\ell' \wedge y = f(\eta))$ ,

and similarly the "backward" axiom schema:

$B_\alpha$: $\vdash [\mathit{at}\,\ell \wedge c(y) \wedge P(f(y))] \supset \bigcirc(\mathit{at}\,\ell' \wedge P(y))$ .

By the theorem $\vdash \bigcirc w \supset \Diamond w$, the 'nexttime' form of $F_\alpha$ implies the 'sometime' form of $F_\alpha$. Therefore any proof in the 'sometime' system is automatically carried over to the 'nexttime' system. Consequently the 'nexttime' system is also adequate for proving total correctness and other eventualities. In addition it is also adequate for proving invariance properties.

A. Proof of Invariance

Let us consider now a typical proof of invariance. Let $Q$ be an inductive program property. Intuitively this means that $Q$ is true of the initial state and is preserved under any program step. Thus we have

(a) $\vdash \varphi \supset Q$

for the input predicate $\varphi$.

Also for any transition $\alpha$: $c(y) \rightarrow [y \leftarrow f(y)]$, we have

(b) $\vdash c(y) \wedge Q(y) \supset Q(f(y))$ .

Let $\ell$ be any label in the program and let its outgoing transitions $\alpha_i$ be leading to $\ell_i$ respectively. Assume each transition to be $\alpha_i$: $c_i(y) \rightarrow [y \leftarrow f_i(y)]$. We have already assumed that $\bigvee_i c_i(y) = \mathit{true}$.

For any $i$ we have

$\vdash [\mathit{at}\,\ell \wedge c_i(y) \wedge Q(y)] \supset [\mathit{at}\,\ell \wedge c_i(y) \wedge Q(f_i(y))]$

by the inductiveness of $Q$, i.e., (b).

$\vdash [\mathit{at}\,\ell \wedge c_i(y) \wedge Q(f_i(y))] \supset \bigcirc(\mathit{at}\,\ell_i \wedge Q(y))$

by the local backward axiom $B_{\alpha_i}$.

Combining the last two we get:

$\vdash [\mathit{at}\,\ell \wedge c_i(y) \wedge Q(y)] \supset \bigcirc(\mathit{at}\,\ell_i \wedge Q(y))$ ,

from which, by Consequence, we get:

$\vdash [\mathit{at}\,\ell \wedge c_i(y) \wedge Q(y)] \supset \bigcirc Q(y)$ .

Since the above was obtained for an arbitrary $i$ we can take the logical 'or' of all these statements over all $i$'s. Using the fact that $\bigvee_i c_i(y) = \mathit{true}$, we obtain:

$\vdash [\mathit{at}\,\ell \wedge Q(y)] \supset \bigcirc Q(y)$ .

Taking the disjunction over all program labels $\ell$ and using the location axiom which states that $\bigvee_\ell \mathit{at}\,\ell = \mathit{true}$, we get:

$\vdash Q(y) \supset \bigcirc Q(y)$ .

Hence by Generalization (R3)

$\vdash \Box(Q(y) \supset \bigcirc Q(y))$ .

By the induction axiom C8 we get:

$\vdash Q(y) \supset \Box Q(y)$ .

Consider now an initial state at which we have $\mathit{at}\,\ell_0$ and $\varphi$ true. By (a) $\varphi$ implies $Q$, from which we conclude

$\vdash [\mathit{at}\,\ell_0 \wedge \varphi] \supset \Box Q(y)$ ,

which establishes the invariance of $Q$.
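The exponentiation program of the total-correctness example, the semantic clauses for $\Box$, $\Diamond$ and $\bigcirc$ of the nexttime system, and the inductiveness condition (b) of the invariance proof above, all exercised on a concrete finite model. This is an added Python example and not code from the paper: the transition table is reconstructed from the axioms $B_\alpha$ to $B_\delta$ (the figure of the program is lost in the scan, so its exact shape is an assumption), and the names `verify`, `inductive`, `backward_axiom_holds` and `make_Q` are my own.

```python
"""Bounded, executable check of the proof obligations discussed on this page, for the
exponentiation program of the total-correctness example.  The transitions are
reconstructed from the backward axioms B_alpha .. B_delta; the program figure is
missing from the scan, so the shape of the graph is an assumption."""
from itertools import product

L0, L1, L3 = "l0", "l1", "l3"      # program labels; l3 is the exit label (l_e in the proof)

# A state is (label, y) with y = (y1, y2, y3).  Each transition is
# (source label, condition c(y), update f(y), target label), i.e. "c(y) -> [y <- f(y)]".
TRANSITIONS = {
    "alpha": (L0, lambda y: True,                       lambda y: (y[0], y[1], 1),                L1),
    "beta":  (L1, lambda y: y[1] == 0,                  lambda y: y,                              L3),
    "gamma": (L1, lambda y: y[1] > 0 and y[1] % 2 == 1, lambda y: (y[0], y[1] - 1, y[0] * y[2]),  L1),
    "delta": (L1, lambda y: y[1] > 0 and y[1] % 2 == 0, lambda y: (y[0] * y[0], y[1] // 2, y[2]), L1),
    # the exit label is connected to itself by a trivial transition, as axiom C6 requires
    "exit":  (L3, lambda y: True,                       lambda y: y,                              L3),
}

def successors(state):
    """rho(s, s'): immediate successors of a state.  Since the conditions leaving a node are
    mutually exclusive and exhaustive (sum c_i = 1), a deterministic program has exactly one."""
    label, y = state
    nxt = [(tgt, f(y)) for (src, c, f, tgt) in TRANSITIONS.values() if src == label and c(y)]
    assert len(nxt) == 1, f"conditions at {label} not exclusive/exhaustive for y={y}"
    return nxt

def reachable_graph(init):
    """The finite Kripke model: every state reachable from init, mapped to its rho-successors."""
    graph, todo = {}, [init]
    while todo:
        s = todo.pop()
        if s not in graph:
            graph[s] = successors(s)
            todo.extend(graph[s])
    return graph

def r_closure(graph, s):
    """{s' : R(s, s')} with R the reflexive transitive closure of rho: present or eventual future."""
    seen, todo = set(), [s]
    while todo:
        t = todo.pop()
        if t not in seen:
            seen.add(t)
            todo.extend(graph[t])
    return seen

# The semantic clauses |box w|_s, |diamond w|_s and |next w|_s of the nexttime system.
def box(graph, s, w):
    return all(w(t) for t in r_closure(graph, s))

def diamond(graph, s, w):
    return any(w(t) for t in r_closure(graph, s))

def nexttime(graph, s, w):
    return any(w(t) for t in graph[s])

def make_Q(x1, x2):
    """The invariant behind Q(n, y): y2 >= 0 and y3 * y1**y2 = x1**x2, where y3 counts as
    the value 1 that alpha is about to assign while execution is still at l0."""
    def Q(state):
        label, (y1, y2, y3) = state
        acc = 1 if label == L0 else y3
        return y2 >= 0 and acc * y1 ** y2 == x1 ** x2
    return Q

def backward_axiom_holds(graph, name, P):
    """Model check of the nexttime axiom B_alpha for predicate P:
    [at l & c(y) & P(f(y))] -> next(at l' & P(y)) in every state of the graph."""
    src, c, f, tgt = TRANSITIONS[name]
    return all(nexttime(graph, s, lambda t: t[0] == tgt and P(t))
               for s in graph if s[0] == src and c(s[1]) and P((tgt, f(s[1]))))

def inductive(Q, bound):
    """Condition (b) of the invariance proof, checked over the box |y_i| <= bound:
    at l & c_i(y) & Q(y) must imply Q after the step, for every label and transition."""
    rng = range(-bound, bound + 1)
    for label, y in product((L0, L1, L3), product(rng, rng, rng)):
        for (src, c, f, tgt) in TRANSITIONS.values():
            if src == label and c(y) and Q((label, y)) and not Q((tgt, f(y))):
                return False
    return True

def verify(x1, x2):
    """Evaluate the page's two theorems at the initial state of the concrete model:
    total correctness (a diamond property) and invariance of Q (a box property)."""
    if x2 < 0:
        raise ValueError("the program assumes x2 >= 0")
    init = (L0, (x1, x2, 0))                   # y3 starts at an arbitrary value, 0 here
    graph = reachable_graph(init)
    Q = make_Q(x1, x2)
    psi = lambda s: s[0] == L3 and s[1][2] == x1 ** x2      # psi = (at l_e & y3 = x1**x2)
    exit_state = next(s for s in graph if s[0] == L3)
    return {
        "total_correctness": diamond(graph, init, psi),
        "invariance": box(graph, init, Q),
        "final_y3": exit_state[1][2],
        # Induction Rule 2 needs k = x2 only as an upper bound: the loop body runs once
        # per visit to l1 except the last, so at most x2 times
        "loop_iterations": sum(1 for s in graph if s[0] == L1) - 1,
        "bound_k": x2,
    }
```

`verify(3, 10)` reports total correctness and invariance as true, a final `y3` of 59049 and 5 loop iterations against the bound $k = 10$, which is the gap between Induction Rule 1 and Rule 2 made concrete. `inductive` is a brute-force check of (b) over a box of integer states, so it can refute a candidate invariant but only gives evidence, not a proof, for one it fails to refute; the semantic checks in `verify` are exact, but only for the finite model generated by one concrete input.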